Policy Agent and WebMethods Portal

Hi,
Is the PolicyAgent required to authenticate users and control the access to resources ?
If yes, can we use the PolicyAgent/AccessManager with any server like for example WebMethods Portal ?
Thanks,
Adel

Thanks for the reply, Shivaram. The issue appears to occur at random times, not accurately at the 3 min interval as you mention. I tested changing this value to 1; theoretically, after 1 minute of idle time, accessing a link would make the agent reset the time idle value for the user session in SAM, but it didn't even after 3 minutes. This seems to be either a policy agent or system access manager bug.
We performed a 'vanilla' test using the apache server manual pages (only plain HTML, no POST requests), the pages are protected by the policy agent. At the first login, we were prompted to enter credentials to be validated by SAM/LDAP, and then a user session is created in SAM session table. We browse around the manual pages, once in a while, certain pages cause the policy agent to reset the time idle. However, revisiting these links after a few minutes doesn't reset the idle value. Caching setting has been disabled as well. Could there be or lack of some settings in AMConfig.properties or AMAgent.properties that might have caused this behavior?
Thanks for all your help,

Similar Messages

  • Policy agent and normal portal logon on one portal

    We run a shared portal infrastructure and want to use multiple logon methods for accessing ESS MSS portal applications.
    Is it possible to logon via Policy Agent and with normal SAP portal logon to the same application?

    We have 3 bespoke types of SSO logon methods, JAAS, SAML and PKI.
    This means users can logon via our bespoke SSO solutions or via the normal SAP standard delivered logon method with UID and password.
    Currently we are investigating if we can also implement the Sun policy agent as logon method for the Portal and WAS. It should run in parallel with our current solutions without harming them.

  • Access Manager Policy Agent and Oracle AS

    Hi,
    my system uses Oracle Application Server. The security dept use Sun Access Manager. I need to integrate the security of the Oracle system with the policy agent. Where this gets a little confusing is that one of my developers tells me that this is difficult to implement and that Sun aren't planning on supporting the Oracle AS in future.
    What I would like is some clarification from the horse's mouth so to speak. In particular is it possible to integrate the policy agent and Oracle AS, and are Sun committed to supporting and developing for this.
    Thanks,
    Andy.

    "Where this gets a little confusing is that one of my developers tells me that this is difficult to implement"
    "it is NOT an implementation but an integration ! difficult ? why ?"
    "and that Sun aren't planning on supporting the Oracle AS in future."
    There is a PA 2.2 for Oracle 10g ! It is the latest version(2.2 I mean). I don't see any reasons why Sun should not continue. But it is ONLY my point of view...
    "What I would like is some clarification from the horse's mouth so to speak. In particular is it possible to integrate the policy agent and Oracle AS, and are Sun committed to supporting and developing for this."
    Of course it is possible because you can find the PA that will integrate your Oracle AS with a Sun AM.
    1) Please read the documentation.
    http://docs.sun.com/app/docs/coll/1322.1
    Download the one for Oracle and read also the user guide.
    PA are very easy to integrate if you know what you do... Espec. und. the AM auth and sso... If you can be helped by a AM guy from your comp. it is welcome... It is a j2ee agent and of course the PA will make what is necessary to redirect you to AM at login time and later to auth. your request...
    2) Download the soft and do the job :-)
    Product Downloads
    Sun Java System Access Manager Policy Agent 2.2 for Oracle Application Server 10g
    http://www.sun.com/download/products.xml?id=455d52ed
    I did plenty of int. with Sun/Bea/Tomcat AS(don't forget there are also webserver agents like Apache PA) with AM and it is not a big deal. Not Oracle, but it is an AS and I don't see why it should be difficult...
    Hope this helps a bit.

  • Difference between web policy agent and j2ee Policy agent ?

    Difference between web policy agent and j2ee Policy agent ?

    http://docs.sun.com/app/docs/doc/820-5816/ghscr?a=view

  • How to manage coexistance of IIS policy agent and sun-passthrough from AS

    We have an IIS 6 with Policy Agent 2.2 and on same instance we have the sun-passthrough plugin installed to redirect certain pages to an Application mounted on Sun App Server 8,2. We need to apply policies to requests to those pages before redirection is done but seems that passthrough plugin is taking precedence over Policy Agent. Therefore, policies are not evaluated and all traffic is passed. PA agent is installed as a wild card and passthrough as an ISAPI filter. We do not see a way to change priority (already set to HIGH) for the passthrough plugin. PA has the option on amAgent.properties and we set it already to HIGH. Any hint?
    Edited by: blancay on Sep 20, 2008 9:47 AM

    1) How to restrict the new employee from availing any type of leave company have a policy only after completion of probation employee can avail sick leave?
    Note 897623 User Exits in PT
    Use user exit to check It0019 or monitoring of tasks or reminder of dates or 0041 IT
    2) Sick leaves can be availed only after completion of 1 year what are the settings do i need to set?
    You can use quota deduction and user exit and read dates from 0041 for his entry date in company
    3) Earned leaves can be given to employees those who complete 2 years of service? what are the settings for this?
    base entitlement ie seniority quota check table v_t559l
    4) Intervening holidays and weekly offs can be treated as leaves in sick leave as well as earned leaves what are the customizing settings for this?
    counting rule and exit
    5) only female employees are entitled to avail maternity leave?what are the settings for this?
    feature pe03 MASEX  Set Infotype 80 Admissability for Employees
    read more on help.sap.com

  • URL Policy agent attributes -

    I installed a Policy Agent on a remote Web Server and pointed the policy agent to the Portal's Identity Server .
    When I click on the Policy agent in the Identity Server console , it displays the following message
    "There are no attributes to display for this entry".
    How to obtain the attributes for the URL Policy Agent .Is this a problem concerning the IS . Can anyone throw light on this issue.
    thanx in advance
    raj

    It's the way it's supposed to be. There are no configurable attributes for this service.

  • Extending WebLogic policy agent

    Hello all;
    I am using AM policy agent for WebLogic portal server. Is there a way to extend the functionality of this policy agent. I need to make the agent do more than what it provides OOTB. Is there a way to do that? Any suggestions?
    Thanks

    Hi Aaron;
    I am trying to see if I can force the policy agent to be invoked on non-protected resources. The agent is in J2EE mode. The scenario that I have is the whole site is open and nothing is protected so I have to make the policy agent recognize requests for both protected and non protected resources. The other issue I have is that even if I create a cookie the policy agent doesn't maintain the session state since the requests are for unprotected resources. It (PA) doesn't "touch" the cookie since the requests didn't go through it.
    Thanks,

  • NSAPI in Access Manager & Policy Agent

    Hi all,
    May I know is it possible to use NSAPI to be a communication channel between policy agent and access manager?
    I have installed Sun One Web Server together with policy agent, access manager is installed in another machine.
    I've looked through all related documentation but could not find NSAPI for policy agent or access manager.
    Thanks in advance!

  • Problem: Protect Sun Web Proxy Server 4.0.5 with Policy Agent 2.2

    We are trying to protect the Sun Web proxy Server 4.0.5 with policy agent 2.2 on solaris 10 machine.
    We are using Access Manager 7.1 along with directory server 6.2
    We are trying to protect the web proxy console url http://domain.example.com with that policy agent so that when we hit web proxy console url
    it should throw us access manager login page ie http://abc.com/amserver.
    How can we achieve this. What all changes required in the AMAgent.properties file. Please suggest.

    Hi subho,
    problem is fixed. i have uninstalled the policy agent and reinstalled it again. the problem i found is we didn't stop the webproxy instance when installing policy agent. Thanks for the reply

  • Need assistance on openSSO/Access Manager-policy agent on tomcat 5.5

    I'm asking here because there is no help from openSSO forum.
    I know that openSSO is quite the same with java access manager,
    so I assume that openSSO is identical to java access manager.
    I'm very much new to the policy agent and I've tried to test it for my own web application, but it doesn't seems to work.
    Here is my situation :
    I'm using 2 servers:
    1. server using windows XP, installed with tomcat 5.5 and opensso inside (acts as openSSO server).
    I set the IP to be 192.168.0.3 and tomcat web server will be listening on port 8080
    2. server using windows XP, installed with tomcat 5.5 and my web application inside, and the policy agent.
    I set the IP to be 192.168.0.1 and tomcat web server will be listening on port 7070
    my web application is named "akademis" and I can access it with the usual method on address http://192.168.0.1:7070/akademis.
    I install the policy agent on global web.xml of tomcat configuration and I don't change anything on web.xml of my application.
    when I tried to access the http://192.168.0.1:7070/akademis , I was redirected to openSSO login page correctly and I entered username and password(username:amadmin). I passed the login page and being redirected to the page that I wanted, but it doesn't do correctly cause I got a HTTP message of 403 (forbidden).
    I got some clue in the policy agent logs :
    a. the amFilter log
    09/30/2006 01:08:25:890 PM ICT: Thread[http-7070-Processor25,5,main]
    09/30/2006 01:09:14:515 PM ICT: Thread[http-7070-Processor25,5,main]
    ERROR: URLFailoverHelper: No URL is available at this time
    09/30/2006 01:09:14:515 PM ICT: Thread[http-7070-Processor25,5,main]
    ERROR: AmFilter: Error while delegating to inbound handler: SSO Task Handler, access will be denied
    [AgentException Stack]
    com.sun.identity.agents.arch.AgentException: No URL is available at this time
    at com.sun.identity.agents.common.URLFailoverHelper.getAvailableURL(URLFailoverHelper.java:133)
    at com.sun.identity.agents.filter.AmFilterRequestContext.getLoginURL(AmFilterRequestContext.java:748)
    at com.sun.identity.agents.filter.AmFilterRequestContext.getAuthRedirectURL(AmFilterRequestContext.java:285)
    at com.sun.identity.agents.filter.AmFilterRequestContext.getAuthRedirectURL(AmFilterRequestContext.java:258)
    at com.sun.identity.agents.filter.AmFilterRequestContext.getAuthRedirectResult(AmFilterRequestContext.java:363)
    at com.sun.identity.agents.filter.AmFilterRequestContext.getAuthRedirectResult(AmFilterRequestContext.java:345)
    at com.sun.identity.agents.filter.SSOTaskHandler.doSSOLogin(SSOTaskHandler.java:210)
    at com.sun.identity.agents.filter.SSOTaskHandler.process(SSOTaskHandler.java:98)
    at com.sun.identity.agents.filter.AmFilter.processTaskHandlers(AmFilter.java:185)
    at com.sun.identity.agents.filter.AmFilter.isAccessAllowed(AmFilter.java:152)
    at com.sun.identity.agents.filter.AmAgentBaseFilter.doFilter(AmAgentBaseFilter.java:38)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
    at org.apache.catalina.cluster.tcp.ReplicationValve.invoke(ReplicationValve.java:346)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
    at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
    at java.lang.Thread.run(Thread.java:595)
    b. the amLog
    09/30/2006 01:08:09:921 PM ICT: Thread[main,5,main]
    09/30/2006 01:08:10:078 PM ICT: Thread[main,5,main]
    ERROR: RemoteHandler.getLogHostURL(): 'null' is malformed. null
    I think the reason that I failed is not in the openSSO/java access manager, because I get passed the login page, and also in the amFilter log of the policy agent I see an error of "No URL is available at this time" .
    Is there anyone can help me on this problem ? I'll be very glad if somebody can help me.
    thanks

    Please try the fix as suggested in the following and let us know the results.
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;196271
    http://forum.java.sun.com/thread.jspa?threadID=346820&messageID=1436761
    Thanks,
    Subba

  • Policy Agent SSL?

    I am new to access manager and have used another product that creates self-signed certs for their web agents. The self-signed certs provide an encrypted connection between the web agent and access server. How do I encrypt the connection between the policy agent and access manager? AFAIK I set up SSL for the access manager host and when I create a configuration file for the policy agent I state the access manager server protocol as https. Is it that simple? Will the policy agent be affected somehow when I renew the cert on the access manager host?
    And more general, what's best business practice? I assume you want the traffic between the policy agent and access manager to be encrypted.

    I made mine work by adding the same Root CA certificate and two server certificates from the same CA authority to both AM Web Server and the application (policy agent) web server...
    it really depends, if your application contains some sensitive information being displayed to your user, you should have SSL on the app server (sun one web server) as well..
    if u renew the CA(root) cert on the AM Web server, the same needs to be installed on the app web server as well...
    as a practice, your entire architecture should be on SSL except the DS and AM interaction .. since that is probably behind a firewall - again, depends on your configuration...
    let me know if u need more help..
    regards,
    saahil

  • ID Server and Policy Agent for AS .. is secure?

    Hello there,
    I have a question. Quite critical question, concerning iPlanetDirectoryPro cookie. If I've got it right, this cookie contains SSO Token. And the SSO token can be used with identity server to obtain any SSO assertion. I've experimentally confirmed this.
    Now, can anyone tell me why this cookie is sent to any host in my domain? The default after installation is "bgs.sk". This default value enables any host in my domain to impersonate me. Well, I still can change this, but it is now good to have insecure default values anyway, is it?
    Second, and more critical problem: I have Policy Agent installed on my Application Server. It looks like the agent requires access to the iPlanetDirectoryPro cookie to work correctly. But, if my application server has my SSO token, it can impersonate me anywhere. Not a good situation at all. That would mean security hole as big as hangar doors.
    Are my assumptions correct? Am I overlooking something?
    (All valid for ID server 6.0 and Liberty protocols)
    Thanks for any help.
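The cookie-scope concern in the question above, worked as an added example (not code from the thread or from Sun): it applies RFC 6265 domain matching to a `Set-Cookie` header to list which hosts would receive `iPlanetDirectoryPro`, and flags missing `Secure`/`HttpOnly`. The host names under `bgs.sk`, the token value and the function names are constructed for illustration.

```python
"""Added example: which hosts receive an SSO cookie, and how is it flagged?"""
import ipaddress

# Constructed inventory of hosts; only the domain "bgs.sk" comes from the post.
KNOWN_HOSTS = ["am.bgs.sk", "app.bgs.sk", "wiki.bgs.sk", "notbgs.sk", "partner.example"]

def domain_match(host, cookie_domain):
    """RFC 6265 section 5.1.3: exact match, or host is a subdomain of cookie_domain."""
    host = host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".")
    if host == cookie_domain:
        return True
    try:
        ipaddress.ip_address(host)      # IP literals never match by suffix
        return False
    except ValueError:
        return host.endswith("." + cookie_domain)

def parse_set_cookie(value):
    """Split a Set-Cookie value into (name, value, lower-cased attribute dict)."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), cookie_value, attrs

def audit_sso_cookie(set_cookie, origin_host, known_hosts):
    """Return (hosts that will be sent the cookie, list of findings)."""
    name, _, attrs = parse_set_cookie(set_cookie)
    findings = []
    domain = attrs.get("domain", "")
    if domain:
        # A browser ignores a cookie whose Domain does not cover the issuer.
        if not domain_match(origin_host, domain):
            return [], ["rejected: Domain does not cover the issuing host"]
        recipients = sorted(h for h in known_hosts if domain_match(h, domain))
        extra = [h for h in recipients if h != origin_host]
        if extra:
            findings.append(f"{name} is also sent to: {', '.join(extra)}")
    else:
        recipients = [origin_host]      # host-only cookie
    if "secure" not in attrs:
        findings.append(f"{name} lacks Secure (sent over plain http)")
    if "httponly" not in attrs:
        findings.append(f"{name} lacks HttpOnly (readable by page script)")
    return recipients, findings

# Constructed headers: a domain-wide cookie as described in the post,
# and a host-only, flagged variant for comparison.
WIDE = "iPlanetDirectoryPro=CONSTRUCTED-TOKEN; Domain=.bgs.sk; Path=/"
NARROW = "iPlanetDirectoryPro=CONSTRUCTED-TOKEN; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    for header in (WIDE, NARROW):
        hosts, notes = audit_sso_cookie(header, "am.bgs.sk", KNOWN_HOSTS)
        print(header, "->", hosts)
        for note in notes:
            print("   ", note)
```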

    Although Sun promote Identity Server by emphasizing its Liberty/SAML feature, the product itself use a proprietary protocol for SSO and CDSSO.
    As all we know, this product could be totally useless without Sun's Policy/J2EE Agent deployed. But ironically these agents communicate with Identity Server in its own way, nothing to do with SAML, XACML, or even SOAP.
    The agent approach is usually not a good idea. We saw more and more problem raised from fields related to agent stability and scalability. We never see any performance benchmark data from Sun. Since the communication between agt and Identity Server are proprietary, no ISV can make agent for this product. You have to wait for Sun for agent support if you have new system not on the support matrix.
    In addition to agent, another big issue of Identity Server is its complex DIT structure. In fact, we prefer to have RDBMS as Identity Server's repository. Sun abuse ldap just because this company doesn't have any database product but still want to provide a pure Sun platform (JES) to customer. So they compromise the architecture for business reason, I'd like to tell you, I don't like the way Identity Server store data in DIT, I don't like the console UI (its for technical geek), and no one in our company dare to do any configuration change.
    Now Sun put Identity Server as the core of its JES product stack. If you have time to take a look at how the SJS Portal use Identity Server and how SSO between Portal channel and Email/Calendar Server are achieved, you'll find that you just buy a "framework" (I mean Identity server), not a product, because you have to do every integration work by intensively coding.
    I predict that Identity Server will be significantly rearchitectured in the near future, otherwise we don't see any benefit this product can bring to me. It is a headache for deployment as well as maintenance. If you just need Single Sign-On, there are lots alternative to achieve, Sun's Identity Server is really overkill. It's authentication feature is ok, but authorization feature (policy, role) is very limited. If you have lots of Windows/IIS web app need to do SSO with Identity Server, god bless you... you better have a sharp programmer to wrap up the C API so as your ASP programmer can leverage Identity Server SDK, and you got to pray for IIS agent behave well. In addition, don't forget to learn more about JATO if you want to do some fancy customization on the default login page.

  • Policy Agent 3.0 on Websphere Portal 6.1

    Hello
    I am looking into using policy agent 3.0 for Websphere Portal 6.1. Looking at the instructions of policy agent installation, it asks about OpenSSO Enterprise server as a requirement. We currently use Sun Access Manager to authenticate against our LDAP. I have a few follow-up questions
    Do we need OpenSSO Enterprise server or can I use Sun AM urls while installing policy agent?
    Do I need to install agent both on Websphere App server and portal server?
    Any help is appreciated
    thanks

    Policy Agent 3.0.4 installed on Windows 2008 R2 IIS7.5, and the servers is NOT OpenSSO or OpenAM, but Sun Access Manager 7.1.
    Turns out we were using the nightly build, version 3.0.5, not the stable 3.0.4. So we installed 3.0.4 instead. And now it works like a charm :-)

  • Policy Agent 2.2, IIS 6.0, CDSSO and redirects after authentication

    Hi
    I've got a problem where a HTTP/1.1 200 and 302 are returned by the Policy Agent / Application, after the Javascripted POST by the CDCServlet content is performed.
    The expected functionality is that the user is authenticated with the AM, the CDC Servlet serves the JavaScript page that will do a POST to the Policy Agent. The Policy Agent should then do what it needs to do with the POST, and forward request to the Application. The Application then does what it needs to do, and in this case, serves a HTTP/1.1 302 for redirection back to the browser.
    However, it seems that the Policy Agent might be returning a HTTP/1.1 200, and setting the iPlanetDirectoryPro cookie, quickly followed by the HTTP/1.1 302 and the setting of whatever cookies it wants to set.
    The Policy Agent should be respecting the return code of the Application. This problem does not appear when run against the Policy Agent for the Sun ONE Web Server.
    Wondering if anyone has seen this before?
    Here is sanitized output from a trace on the POST and resulting response.
    POST /oslp/?sunwMethod=GET HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
    Accept-Language: en-au
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
    Host: sco88342744.corp.qed.qld.gov.au
    Content-Length: 3496
    Connection: Keep-Alive
    Cache-Control: no-cache
    X-ProcessAndThread: IEXPLORE.EXE [904; 2908]
    LARES=<snip>
    HTTP/1.1 200 OK
    Date: Wed, 16 May 2007 22:25:42 GMT
    Server: Microsoft-IIS/6.0
    Set-Cookie: iPlanetDirectoryPro=AQIC5wM2LY4Sfcz8tCfJ96AXxjIgRzuZJDgE7gMeTO0iIS4%3D%40AAJTSQACMDQ%3D%23;Path=/
    HTTP/1.1 302 Found
    Date: Wed, 16 May 2007 22:25:42 GMT
    Server: Microsoft-IIS/6.0
    X-AspNet-Version: 1.1.4322
    Location: /oslp/user/signon.aspx
    Set-Cookie: ASP.NET_SessionId=lh4sus55y1iy2r5514onnjuj; path=/
    Cache-Control: no-cache
    Pragma: no-cache
    Expires: -1
    Content-Type: text/html; charset=utf-8
    Content-Length: 139
    <html><head><title>Object moved</title></head><body>
    <h2>Object moved to <a href='/oslp/user/signon.aspx'>here</a>.</h2>
    </body></html>

    Hi,
    we had the same problem, but we got support
    from readme.txt
    Bug#: 6789020
    Agent type: All Agents
    Description: In CDSSO mode non enforced POST requests cannot be accessed
    Bug#: 6736820
    Agent type: IIS 6 Agent
    Description: IIS 6 agent doesn't work properly with ASP pages in CDSSO mode
    Both bugs should be fixed in this version:
    Sun Java System Web Agents 2.2-02 hotpatch2

  • How to protect both access (http and https) with a Policy Agent

    Hi,
    During the installation of a web Policy Agent (i.e. Policy Agent for IIS) we have to choose the protocol (and port) of the web server we want to protect.
    If we have an IIS with secure (https) and non secure (http) applications, how we manage this scenario with the policy agent?
    Regards,

    Hi,
    Finally, i have installed the agent in IIS5 in the non secure port (http) and in fact it detects both access (http and https) fine.
    The problem now is that if i try to access a non secure url ( http://mynonsecureapp.com ) all works fine, the agent redirects to https://myaccessmanager.com:443/amserver/UI/Login?goto=http://mynonsecureapp.com but when i try to access a secure url ( https://mysecureapp.com ) the agent tries to redirect me to: https://myaccessmanager.com:443/amserver/UI/Login?goto=http://mysecureapp.com (notice that the agent removes the 's' in the url).
    The amAgent log file shows:
    2008-07-17 09:44:08.296MaxDebug 656:d8f6b0 PolicyAgent: am_web_is_notification(), https://sigcit.agp.gva.es:443/fullcitriweb is not notification url http://sigcit.agp.gva.es:80/amagent/UpdateAgentCacheServlet?shortcircuit=false.
    2008-07-17 09:44:08.296 Warning 656:d8f6b0 PolicyAgent: OnPreprocHeaders(): Access Manager Cookie not found.
    2008-07-17 09:44:08.296 Debug 656:d8f6b0 PolicyAgent: am_web_is_access_allowed(): url 'https://sigcit.agp.gva.es:443/fullcitriweb' path_info ''.
    2008-07-17 09:44:08.296MaxDebug 656:d8f6b0 PolicyAgent: am_web_is_access_allowed(): processing url http://sigcit.agp.gva.es:80/fullcitriweb.
    2008-07-17 09:44:08.296 Debug 656:d8f6b0 PolicyAgent: am_web_is_access_allowed(): client_ip 172.27.65.62 not found in client ip not enforced list
    Any ideas?
    Regards,
    Edited by: idm_oceanic on Jul 17, 2008 1:33 AM
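A check for the symptom reported in the post above, as an added example (not part of the thread and not agent code): it pairs the agent's `am_web_is_access_allowed()` debug lines to spot an https request being evaluated as http, and tests whether a login redirect's `goto` lost the `https` scheme. Pairing lines by timestamp and thread id is an assumption about the log layout; the function names are made up here.

```python
"""Added example: detect https->http rewriting in agent logs and goto URLs."""
import re
from urllib.parse import parse_qs, urlsplit

# Debug lines quoted in the post above (forum "+" markup removed).
SAMPLE_LOG = """\
2008-07-17 09:44:08.296 Debug 656:d8f6b0 PolicyAgent: am_web_is_access_allowed(): url 'https://sigcit.agp.gva.es:443/fullcitriweb' path_info ''.
2008-07-17 09:44:08.296MaxDebug 656:d8f6b0 PolicyAgent: am_web_is_access_allowed(): processing url http://sigcit.agp.gva.es:80/fullcitriweb.
2008-07-17 09:44:08.296 Debug 656:d8f6b0 PolicyAgent: am_web_is_access_allowed(): client_ip 172.27.65.62 not found in client ip not enforced list
"""

# The level can be glued to the timestamp ("296MaxDebug"), hence \s* below.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\s*\w+\s+(?P<tid>\S+) "
    r"PolicyAgent: am_web_is_access_allowed\(\): "
    r"(?P<kind>processing url|url) (?P<rest>.+)$"
)
URL = re.compile(r"https?://[^\s']+")

def find_scheme_rewrites(log_text):
    """Return (requested_url, processed_url) pairs where https became http."""
    pending = {}   # (timestamp, thread id) -> URL the client requested
    hits = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        found = URL.search(m["rest"])
        if not found:
            continue
        url = found.group().rstrip(".")      # log sentences end with "."
        key = (m["ts"], m["tid"])            # assumed to identify one request
        if m["kind"] == "url":
            pending[key] = url
        elif key in pending:
            requested = pending.pop(key)
            if (urlsplit(requested).scheme == "https"
                    and urlsplit(url).scheme == "http"):
                hits.append((requested, url))
    return hits

def goto_downgraded(requested_url, login_redirect):
    """True when an https request is sent to login with a non-https goto."""
    goto = parse_qs(urlsplit(login_redirect).query).get("goto", [""])[0]
    return (urlsplit(requested_url).scheme == "https"
            and urlsplit(goto).scheme != "https")

if __name__ == "__main__":
    for requested, processed in find_scheme_rewrites(SAMPLE_LOG):
        print("scheme rewritten:", requested, "->", processed)
    login = "https://myaccessmanager.com:443/amserver/UI/Login?goto=http://mysecureapp.com"
    print("goto downgraded:", goto_downgraded("https://mysecureapp.com", login))
```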
